Feature Request: Pass GitLab-generated SAST reports between CI/CD pipeline stages


Summary

Currently, GitLab-generated SAST reports are primarily consumed by the GitLab security dashboard and merge request widgets. However, there's no straightforward way to pass these reports as artifacts between different stages of a GitLab CI/CD pipeline for further processing, custom analysis, or integration with external tools.

Problem

When using GitLab's built-in SAST scanning capabilities, the generated reports are automatically processed by GitLab but are not easily accessible for subsequent pipeline stages that might need to:

  1. Perform custom analysis on the SAST findings
  2. Transform the report format for external tools
  3. Apply custom filtering or enrichment logic
  4. Generate custom notifications or reports
  5. Integrate with third-party security platforms

Currently, users have to work around this limitation by:

  • Re-running SAST scans in later stages (inefficient)
  • Using complex artifact extraction methods
  • Implementing custom solutions to access the security reports

Proposal

Add native support for passing GitLab-generated SAST reports between pipeline stages through one or more of the following mechanisms:

Option 1: Artifact Export

Allow SAST jobs to explicitly export their reports as pipeline artifacts:

include:
  - template: Security/SAST.gitlab-ci.yml

# include is a top-level keyword; the template-defined job is then
# overridden to keep the report as a regular downloadable artifact.
sast:
  stage: test
  artifacts:
    reports:
      sast: gl-sast-report.json
    paths:
      - gl-sast-report.json
    expire_in: 1 week

Option 2: Predefined Variables

Provide predefined CI/CD variables containing paths to generated security reports:

custom_analysis:
  stage: analysis
  script:
    - echo "Processing SAST report from: $CI_SAST_REPORT_PATH"
    - custom-tool --input "$CI_SAST_REPORT_PATH"
  dependencies:
    - sast

Option 3: Security Report API Integration

Allow pipeline jobs to access security reports through GitLab's API using job tokens:

security_integration:
  stage: integrate
  script:
    - |
      curl --header "JOB-TOKEN: $CI_JOB_TOKEN" \
           "$CI_API_V4_URL/projects/$CI_PROJECT_ID/pipelines/$CI_PIPELINE_ID/security_report_summary" \
           -o sast-summary.json

Use Cases

  1. Custom Security Dashboards: Organizations wanting to create custom security dashboards that combine GitLab SAST results with other security tools
  2. Compliance Reporting: Generating compliance reports that require specific formatting of security findings
  3. Security Orchestration: Integrating SAST results with SOAR (Security Orchestration, Automation, and Response) platforms
  4. Quality Gates: Implementing custom quality gates based on specific security criteria
  5. Notification Systems: Creating custom notification workflows based on security findings
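As an added example of the Quality Gates use case (and of the downstream consumer job sketched in Option 2), the script below reads a report in the GitLab Security Report shape and fails the job when a finding meets the chosen severity threshold. It is not GitLab's code; the report path, the `fail_on` threshold and the embedded sample report are assumptions constructed for the example.

```python
# Added example (not GitLab code): a downstream quality-gate job reading gl-sast-report.json.
# Usage: python sast_gate.py [gl-sast-report.json] [Critical|High|Medium|Low]; defaults assumed.
import json
import sys
from collections import Counter

# Severity levels defined by the GitLab Security Report schema, low to high.
SEVERITY_RANK = {"Info": 0, "Unknown": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample in the shape of gl-sast-report.json; not a real scan result.
SAMPLE_REPORT = json.dumps({"version": "15.0.0", "vulnerabilities": [
    {"id": "v1", "severity": "Critical", "name": "SQL injection",
     "location": {"file": "app/db.py", "start_line": 42},
     "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}]},
    {"id": "v2", "severity": "Medium", "name": "Hardcoded secret",
     "location": {"file": "config.py", "start_line": 7},
     "identifiers": [{"type": "cwe", "name": "CWE-798", "value": "798"}]},
    {"id": "v3", "severity": "Low", "name": "Weak hash",
     "location": {"file": "util.py", "start_line": 3}, "identifiers": []},
]})

def load_findings(report_text):
    """Parse the report and keep only the fields the gate reports on."""
    findings = []
    for v in json.loads(report_text).get("vulnerabilities", []):
        loc = v.get("location", {})
        findings.append({
            "severity": v.get("severity", "Unknown"),
            "name": v.get("name", ""),
            "where": f"{loc.get('file', '?')}:{loc.get('start_line', '?')}",
            "cwes": [i["name"] for i in v.get("identifiers", []) if i.get("type") == "cwe"],
        })
    return findings

def evaluate_gate(findings, fail_on="High"):
    """Return (passed, per-severity counts, findings at or above fail_on)."""
    threshold = SEVERITY_RANK[fail_on]
    counts = Counter(f["severity"] for f in findings)
    # Unrecognised severity strings rank as Unknown so they cannot slip past a Low gate.
    blocking = [f for f in findings if SEVERITY_RANK.get(f["severity"], 1) >= threshold]
    return len(blocking) == 0, counts, blocking

def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    passed, counts, blocking = evaluate_gate(load_findings(text), argv[2] if len(argv) > 2 else "High")
    print("severity counts:", dict(counts))
    for f in blocking:
        print(f"BLOCKING {f['severity']}: {f['name']} at {f['where']} {f['cwes']}")
    return 0 if passed else 1  # non-zero exit status fails the CI job

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this would run in a later stage with `dependencies: [sast]` so the artifact from Option 1 is downloaded before the script executes.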

Benefits

  • Improved Workflow Integration: Seamless integration of GitLab security scanning with custom workflows
  • Reduced Redundancy: Avoid re-running expensive SAST scans in multiple stages
  • Enhanced Flexibility: Enable custom processing and analysis of security findings, such as failing a release pipeline when a critical vulnerability is found
  • Better Tool Integration: Facilitate integration with external security and compliance tools
  • Standardized Access: Provide a consistent way to access security report data across different pipeline configurations

Implementation Considerations

  • Ensure security report artifacts maintain proper access controls
  • Consider report format standardization (SARIF, GitLab Security Report format, etc.)
  • Provide clear documentation on report structure and available fields
  • Consider performance implications of large security reports
  • Maintain backward compatibility with existing security scanning workflows

This feature would complement existing GitLab security features and could potentially integrate with:

  • Security dashboard improvements
  • API enhancements for security data
  • Artifact management improvements
  • Pipeline efficiency optimizations

Priority

This feature would significantly improve the flexibility and integration capabilities of GitLab's security scanning features, making it easier for organizations to build comprehensive security workflows within their CI/CD pipelines.
